GitLab

MarcusVRP pushed to branch main at Root / Kubernetes / FluxCD

Commits:

a09c890d

by marcusvrp at 2025-08-08T04:52:21-03:00

Revert "feat: remove nginx"

This reverts commit 556c73cf4e431c42bd755e0923019a4c9b1d9054.

5b280e44
by marcusvrp at 2025-08-08T04:53:19-03:00
```
feat(nextcloud): try using nginx snippet
```

2 changed files:

apps/base/nextcloud/helmrelease.yaml
+ infrastructure/base/controllers/ingress-nginx.yaml

Changes:

apps/base/nextcloud/helmrelease.yaml

@@ -16,9 +16,33 @@ spec:
        flavor: fpm-alpine
      ingress:
        enabled: true
 -      className: cilium
 +      className: nginx
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-dns01
 +        nginx.ingress.kubernetes.io/server-snippet: |-
 +          server_tokens off;
 +          proxy_hide_header X-Powered-By;
 +          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
 +          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
 +          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 +          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
 +          location = /.well-known/carddav {
 +            return 301 $scheme://$host/remote.php/dav;
 +          }
 +          location = /.well-known/caldav {
 +            return 301 $scheme://$host/remote.php/dav;
 +          }
 +          location = /robots.txt {
 +            allow all;
 +            log_not_found off;
 +            access_log off;
 +          }
 +          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
 +            deny all;
 +          }
 +          location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
 +            deny all;
 +          }
        tls:
          - secretName: nextcloud-tls
            hosts:
@@ -78,9 +102,6 @@ spec:
      cronjob:
        enabled: true
      nginx:
 -      startupProbe:
 -        enabled: true
 -        failureThreshold: 60
        enabled: true
        containerPort: 8080
      internalDatabase:

infrastructure/base/controllers/ingress-nginx.yaml

 +apiVersion: v1
 +kind: Namespace
 +metadata:
 +  labels:
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +  name: ingress-nginx
 +---
 +apiVersion: v1
 +automountServiceAccountToken: true
 +kind: ServiceAccount
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx
 +  namespace: ingress-nginx
 +---
 +apiVersion: v1
 +automountServiceAccountToken: true
 +kind: ServiceAccount
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +  namespace: ingress-nginx
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: Role
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx
 +  namespace: ingress-nginx
 +rules:
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - namespaces
 +    verbs:
 +      - get
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - configmaps
 +      - pods
 +      - secrets
 +      - endpoints
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - services
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingresses
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingresses/status
 +    verbs:
 +      - update
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingressclasses
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - coordination.k8s.io
 +    resourceNames:
 +      - ingress-nginx-leader
 +    resources:
 +      - leases
 +    verbs:
 +      - get
 +      - update
 +  - apiGroups:
 +      - coordination.k8s.io
 +    resources:
 +      - leases
 +    verbs:
 +      - create
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - events
 +    verbs:
 +      - create
 +      - patch
 +  - apiGroups:
 +      - discovery.k8s.io
 +    resources:
 +      - endpointslices
 +    verbs:
 +      - list
 +      - watch
 +      - get
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: Role
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +  namespace: ingress-nginx
 +rules:
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - secrets
 +    verbs:
 +      - get
 +      - create
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRole
 +metadata:
 +  labels:
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx
 +rules:
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - configmaps
 +      - endpoints
 +      - nodes
 +      - pods
 +      - secrets
 +      - namespaces
 +    verbs:
 +      - list
 +      - watch
 +  - apiGroups:
 +      - coordination.k8s.io
 +    resources:
 +      - leases
 +    verbs:
 +      - list
 +      - watch
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - nodes
 +    verbs:
 +      - get
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - services
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingresses
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - ""
 +    resources:
 +      - events
 +    verbs:
 +      - create
 +      - patch
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingresses/status
 +    verbs:
 +      - update
 +  - apiGroups:
 +      - networking.k8s.io
 +    resources:
 +      - ingressclasses
 +    verbs:
 +      - get
 +      - list
 +      - watch
 +  - apiGroups:
 +      - discovery.k8s.io
 +    resources:
 +      - endpointslices
 +    verbs:
 +      - list
 +      - watch
 +      - get
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRole
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +rules:
 +  - apiGroups:
 +      - admissionregistration.k8s.io
 +    resources:
 +      - validatingwebhookconfigurations
 +    verbs:
 +      - get
 +      - update
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: RoleBinding
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx
 +  namespace: ingress-nginx
 +roleRef:
 +  apiGroup: rbac.authorization.k8s.io
 +  kind: Role
 +  name: ingress-nginx
 +subjects:
 +  - kind: ServiceAccount
 +    name: ingress-nginx
 +    namespace: ingress-nginx
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: RoleBinding
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +  namespace: ingress-nginx
 +roleRef:
 +  apiGroup: rbac.authorization.k8s.io
 +  kind: Role
 +  name: ingress-nginx-admission
 +subjects:
 +  - kind: ServiceAccount
 +    name: ingress-nginx-admission
 +    namespace: ingress-nginx
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRoleBinding
 +metadata:
 +  labels:
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx
 +roleRef:
 +  apiGroup: rbac.authorization.k8s.io
 +  kind: ClusterRole
 +  name: ingress-nginx
 +subjects:
 +  - kind: ServiceAccount
 +    name: ingress-nginx
 +    namespace: ingress-nginx
 +---
 +apiVersion: rbac.authorization.k8s.io/v1
 +kind: ClusterRoleBinding
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +roleRef:
 +  apiGroup: rbac.authorization.k8s.io
 +  kind: ClusterRole
 +  name: ingress-nginx-admission
 +subjects:
 +  - kind: ServiceAccount
 +    name: ingress-nginx-admission
 +    namespace: ingress-nginx
 +---
 +apiVersion: v1
 +data: null
 +kind: ConfigMap
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-controller
 +  namespace: ingress-nginx
 +---
 +apiVersion: v1
 +kind: Service
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-controller
 +  namespace: ingress-nginx
 +spec:
 +  ipFamilies:
 +    - IPv4
 +  ipFamilyPolicy: SingleStack
 +  ports:
 +    - appProtocol: http
 +      name: http
 +      port: 80
 +      protocol: TCP
 +      targetPort: http
 +    - appProtocol: https
 +      name: https
 +      port: 443
 +      protocol: TCP
 +      targetPort: https
 +  selector:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +  type: LoadBalancer
 +---
 +apiVersion: v1
 +kind: Service
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-controller-admission
 +  namespace: ingress-nginx
 +spec:
 +  ports:
 +    - appProtocol: https
 +      name: https-webhook
 +      port: 443
 +      targetPort: webhook
 +  selector:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +  type: ClusterIP
 +---
 +apiVersion: apps/v1
 +kind: Deployment
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-controller
 +  namespace: ingress-nginx
 +spec:
 +  replicas: 3
 +  minReadySeconds: 0
 +  revisionHistoryLimit: 10
 +  selector:
 +    matchLabels:
 +      app.kubernetes.io/component: controller
 +      app.kubernetes.io/instance: ingress-nginx
 +      app.kubernetes.io/name: ingress-nginx
 +  strategy:
 +    rollingUpdate:
 +      maxUnavailable: 1
 +    type: RollingUpdate
 +  template:
 +    metadata:
 +      labels:
 +        app.kubernetes.io/component: controller
 +        app.kubernetes.io/instance: ingress-nginx
 +        app.kubernetes.io/name: ingress-nginx
 +        app.kubernetes.io/part-of: ingress-nginx
 +        app.kubernetes.io/version: 1.12.0
 +    spec:
 +      containers:
 +        - args:
 +            - /nginx-ingress-controller
 +            - --election-id=ingress-nginx-leader
 +            - --controller-class=k8s.io/ingress-nginx
 +            - --ingress-class=nginx
 +            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
 +            - --validating-webhook=:8443
 +            - --validating-webhook-certificate=/usr/local/certificates/cert
 +            - --validating-webhook-key=/usr/local/certificates/key
 +          env:
 +            - name: POD_NAME
 +              valueFrom:
 +                fieldRef:
 +                  fieldPath: metadata.name
 +            - name: POD_NAMESPACE
 +              valueFrom:
 +                fieldRef:
 +                  fieldPath: metadata.namespace
 +            - name: LD_PRELOAD
 +              value: /usr/local/lib/libmimalloc.so
 +          image: registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb
 +          imagePullPolicy: IfNotPresent
 +          lifecycle:
 +            preStop:
 +              exec:
 +                command:
 +                  - /wait-shutdown
 +          livenessProbe:
 +            failureThreshold: 5
 +            httpGet:
 +              path: /healthz
 +              port: 10254
 +              scheme: HTTP
 +            initialDelaySeconds: 10
 +            periodSeconds: 10
 +            successThreshold: 1
 +            timeoutSeconds: 1
 +          name: controller
 +          ports:
 +            - containerPort: 80
 +              name: http
 +              protocol: TCP
 +            - containerPort: 443
 +              name: https
 +              protocol: TCP
 +            - containerPort: 8443
 +              name: webhook
 +              protocol: TCP
 +          readinessProbe:
 +            failureThreshold: 3
 +            httpGet:
 +              path: /healthz
 +              port: 10254
 +              scheme: HTTP
 +            initialDelaySeconds: 10
 +            periodSeconds: 10
 +            successThreshold: 1
 +            timeoutSeconds: 1
 +          resources:
 +            requests:
 +              cpu: 100m
 +              memory: 90Mi
 +          securityContext:
 +            allowPrivilegeEscalation: false
 +            capabilities:
 +              add:
 +                - NET_BIND_SERVICE
 +              drop:
 +                - ALL
 +            readOnlyRootFilesystem: false
 +            runAsGroup: 82
 +            runAsNonRoot: true
 +            runAsUser: 101
 +            seccompProfile:
 +              type: RuntimeDefault
 +          volumeMounts:
 +            - mountPath: /usr/local/certificates/
 +              name: webhook-cert
 +              readOnly: true
 +      dnsPolicy: ClusterFirst
 +      nodeSelector:
 +        kubernetes.io/os: linux
 +      serviceAccountName: ingress-nginx
 +      terminationGracePeriodSeconds: 300
 +      volumes:
 +        - name: webhook-cert
 +          secret:
 +            secretName: ingress-nginx-admission
 +---
 +apiVersion: batch/v1
 +kind: Job
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission-create
 +  namespace: ingress-nginx
 +spec:
 +  template:
 +    metadata:
 +      labels:
 +        app.kubernetes.io/component: admission-webhook
 +        app.kubernetes.io/instance: ingress-nginx
 +        app.kubernetes.io/name: ingress-nginx
 +        app.kubernetes.io/part-of: ingress-nginx
 +        app.kubernetes.io/version: 1.12.0
 +      name: ingress-nginx-admission-create
 +    spec:
 +      containers:
 +        - args:
 +            - create
 +            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
 +            - --namespace=$(POD_NAMESPACE)
 +            - --secret-name=ingress-nginx-admission
 +          env:
 +            - name: POD_NAMESPACE
 +              valueFrom:
 +                fieldRef:
 +                  fieldPath: metadata.namespace
 +          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
 +          imagePullPolicy: IfNotPresent
 +          name: create
 +          securityContext:
 +            allowPrivilegeEscalation: false
 +            capabilities:
 +              drop:
 +                - ALL
 +            readOnlyRootFilesystem: true
 +            runAsGroup: 65532
 +            runAsNonRoot: true
 +            runAsUser: 65532
 +            seccompProfile:
 +              type: RuntimeDefault
 +      nodeSelector:
 +        kubernetes.io/os: linux
 +      restartPolicy: OnFailure
 +      serviceAccountName: ingress-nginx-admission
 +---
 +apiVersion: batch/v1
 +kind: Job
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission-patch
 +  namespace: ingress-nginx
 +spec:
 +  template:
 +    metadata:
 +      labels:
 +        app.kubernetes.io/component: admission-webhook
 +        app.kubernetes.io/instance: ingress-nginx
 +        app.kubernetes.io/name: ingress-nginx
 +        app.kubernetes.io/part-of: ingress-nginx
 +        app.kubernetes.io/version: 1.12.0
 +      name: ingress-nginx-admission-patch
 +    spec:
 +      containers:
 +        - args:
 +            - patch
 +            - --webhook-name=ingress-nginx-admission
 +            - --namespace=$(POD_NAMESPACE)
 +            - --patch-mutating=false
 +            - --secret-name=ingress-nginx-admission
 +            - --patch-failure-policy=Fail
 +          env:
 +            - name: POD_NAMESPACE
 +              valueFrom:
 +                fieldRef:
 +                  fieldPath: metadata.namespace
 +          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
 +          imagePullPolicy: IfNotPresent
 +          name: patch
 +          securityContext:
 +            allowPrivilegeEscalation: false
 +            capabilities:
 +              drop:
 +                - ALL
 +            readOnlyRootFilesystem: true
 +            runAsGroup: 65532
 +            runAsNonRoot: true
 +            runAsUser: 65532
 +            seccompProfile:
 +              type: RuntimeDefault
 +      nodeSelector:
 +        kubernetes.io/os: linux
 +      restartPolicy: OnFailure
 +      serviceAccountName: ingress-nginx-admission
 +---
 +apiVersion: networking.k8s.io/v1
 +kind: IngressClass
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: controller
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: nginx
 +spec:
 +  controller: k8s.io/ingress-nginx
 +---
 +apiVersion: admissionregistration.k8s.io/v1
 +kind: ValidatingWebhookConfiguration
 +metadata:
 +  labels:
 +    app.kubernetes.io/component: admission-webhook
 +    app.kubernetes.io/instance: ingress-nginx
 +    app.kubernetes.io/name: ingress-nginx
 +    app.kubernetes.io/part-of: ingress-nginx
 +    app.kubernetes.io/version: 1.12.0
 +  name: ingress-nginx-admission
 +webhooks:
 +  - admissionReviewVersions:
 +      - v1
 +    clientConfig:
 +      service:
 +        name: ingress-nginx-controller-admission
 +        namespace: ingress-nginx
 +        path: /networking/v1/ingresses
 +        port: 443
 +    failurePolicy: Fail
 +    matchPolicy: Equivalent
 +    name: validate.nginx.ingress.kubernetes.io
 +    rules:
 +      - apiGroups:
 +          - networking.k8s.io
 +        apiVersions:
 +          - v1
 +        operations:
 +          - CREATE
 +          - UPDATE
 +        resources:
 +          - ingresses
 +    sideEffects: None